revengerat | ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 02:00

Target

Lotus.exe
Size

136KB
MD5

b9d014296827c8d325ba1e1b0f4b2793
SHA1

8749106256cdca0d200f76728d0a873dd13c22e9
SHA256

ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA512

6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
SSDEEP

3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+

Score

10^/10

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4836-135-0x0000000000710000-0x0000000000738000-memory.dmp	revengerat
behavioral2/memory/4836-138-0x0000000000710000-0x0000000000738000-memory.dmp	revengerat
behavioral2/memory/4836-141-0x0000000000710000-0x0000000000738000-memory.dmp	revengerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Lotus.exe

description pid process target process

PID 2396 set thread context of 4836 2396 Lotus.exe aspnet_compiler.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4900 4836 WerFault.exe aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lotus.exe

description pid process

Token: SeDebugPrivilege 2396 Lotus.exe

description	pid	process	target process
PID 2396 set thread context of 4836	2396	Lotus.exe	aspnet_compiler.exe

pid	pid_target	process	target process
4900	4836	WerFault.exe	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2396	Lotus.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Lotus.exe

description	pid	process	target process
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe
PID 2396 wrote to memory of 4836	2396	Lotus.exe	aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 200
3⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836
1⤵
PID:336

memory/4836-135-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download
memory/4836-138-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download
memory/4836-141-0x0000000000710000-0x0000000000738000-memory.dmp

Filesize
160KB

Download